CN106201872A - A kind of running environment detection method of android system - Google Patents
Publication number: CN106201872A
Application number: CN201610523168.XA
Authority: CN (China)
Prior art keywords: instruction, address, android, running environment, android system
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3664—Environments for testing or debugging software
Abstract
The invention discloses a method for detecting the running environment of an Android system, which uses the characteristics of the cache memory to detect whether the current Android system is running on an Android emulator or on a real Android device. The method comprises the steps of: 1) executing an instruction at an arbitrary address $address, this being the old instruction; 2) writing a new instruction, different from the old instruction, to $address; 3) executing the instruction at $address again; 4) determining, from the execution result of step 3), whether the instruction executed was the new instruction or the old instruction, and thereby detecting whether the running environment of the current Android system is an Android emulator or a real Android device. The technical scheme provided by the invention achieves the purpose of detecting the Android running environment effectively and conveniently.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method for detecting the running environment of an Android system.
Background
With the arrival of the mobile Internet, mobile application development is booming. Because the Android platform is open source and free, its market share has grown greatly, but while this brings convenience to manufacturers and users it also brings security risks. The number of mobile phone users is growing ever faster, especially in China, where it has passed 1 billion; about 75% of Chinese people have their own mobile phone. Because phones are becoming more and more intelligent and are easy to carry, many people store private information on them and unknowingly expose it in many situations, and this information is exactly what many virus authors are keen on. A malicious attacker runs Android software in an emulator, performs operations on the software to trigger as many malicious behaviors as possible, outputs them to a log, and then analyzes the log maliciously with scripts. To further reduce such incidents, security research on Android mobile terminals is becoming more and more important.
The Android system is divided into four layers, each of which provides services to the layer above it. The bottom layer is the Linux kernel; the layer above it contains the Android class libraries and the Android runtime; above that is the application framework; and the top layer is the applications. The Android runtime includes the Dalvik VM and the Java class libraries. Although the core of Android is the Linux kernel, most of its programs are developed in Java and run by the Dalvik VM. All .class and .jar files are converted into the .dex format by the DX tool in the SDK. When compiling .class files, the DX tool removes the redundant information inside them and merges all the .class files into one file to improve performance; it also optimizes the .dex file for performance. The .dex file is then run by the Dalvik virtual machine.
The openness of Android, while attracting numerous attackers, has also attracted many security researchers, who have carried out a great deal of research on enhancing its security and have produced many practical results. Researchers have proposed security enhancement schemes based on virtualization technology. Virtualization achieves separation of public and private use and platform integration, and because the virtual machine monitor has higher privileges than the operating system, it can be used to monitor and control platform behavior, thereby improving the security of the whole system.
The Android emulator brings great convenience to developing and debugging application software, but attackers can also use it to analyze software maliciously. Determining the environment in which an Android application is currently running has therefore become one way of protecting application software that has already been released.
Existing mainstream methods for detecting the current running environment of an Android application include: (1) checking the IMEI: a real Android device has a unique IMEI number, whereas an Android emulator returns a string of zeros; however, the IMEI of present-day emulators can be modified; (2) checking the MAC address: emulators generally have only a few fixed MAC addresses; however, the MAC address of an emulator can now also be modified with some software. With either of these existing methods it is therefore difficult to detect the current running environment of an Android application accurately, and difficult to protect Android applications that have already been released.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides a method for detecting the running environment of an Android system. The method detects the Android emulator on the basis of the characteristics of the cache memory, determining whether the current Android system is running on a real Android device or on an Android emulator, and thereby prevents malicious attackers from using an emulator to analyze software maliciously.
The principle of the present invention is as follows:
Several levels of cache memory can exist between the CPU and main memory to speed up access: instructions are cached so that they need not be fetched again from slow main memory. Most Android phones today use the ARM architecture (Advanced RISC Machine), a 32-bit reduced instruction set processor architecture that is widely used in embedded system designs. The ARM architecture has two levels of cache, but ARM divides one of those levels into two parallel parts: a cache dedicated to storing program instructions and a cache that stores data. A memory structure that separates instruction storage from data storage in this way is called the Harvard architecture, while one in which instruction storage and data storage are combined is the von Neumann architecture. The emulator currently provided by the Android SDK (Software Development Kit) is based on QEMU. QEMU, written by Fabrice Bellard, is an open-source processor emulator whose source code is distributed under the GPL license and which is widely used on GNU/Linux platforms. The emulator's cache is not split: it has only a single unified cache. In the Harvard architecture the two caches are not synchronized, so the value at a particular address may have been updated in one cache without having been updated in the other. For example, when data is written into the data cache, it is not written into the instruction cache. The present invention exploits this difference in cache structure between the Android emulator and a real Android device: it executes a few instructions, infers the cache structure from the final execution result, and so distinguishes the two.
The technical scheme provided by the present invention is:
A method for detecting the running environment of an Android system, which uses the characteristics of the cache memory to detect whether the current running environment is an Android emulator or a real Android device, comprising the following steps:
1) executing an instruction at an arbitrary address $address; this is the old instruction;
2) writing a new instruction to $address, the new instruction being different from the old instruction of step 1);
3) executing the instruction at $address again;
4) determining, from the execution result of step 3), whether the instruction executed in step 3) was the new instruction or the old instruction; when the instruction executed in step 3) was the old instruction, the running environment of the current Android system is a real device; when the instruction executed in step 3) was the new instruction, the running environment of the current Android system is an Android emulator.
Compared with the prior art, the beneficial effects of the invention are as follows:
For detecting the running environment of an Android system, existing Android emulator detection methods mainly distinguish environments by specific system values, for example by using functions such as getDeviceId() and getLine1Number(). The method provided here instead distinguishes a real Android device from an Android emulator by the structural characteristics of the cache memory; it achieves detection of the Android running environment effectively and conveniently, and is novel.
Brief description of the drawings
Fig. 1 is a flow chart of the running environment detection method of the Android system provided by the invention.
Fig. 2 is a flow chart of instruction execution on a real Android device.
Fig. 3 is a flow chart of instruction execution on an Android emulator.
Detailed description of the invention
The invention is further described below through embodiments with reference to the drawings, which do not limit the scope of the invention in any way.
The invention provides a method for detecting the running environment of an Android system, which uses the characteristics of the cache memory to detect whether the current running environment is an Android emulator or a real Android device. Most current Android phones use the Harvard architecture, in which one level of the two-level cache is divided into two parallel parts: a cache dedicated to storing program instructions and a cache that stores data. These two parallel caches are not synchronized, so the value at a particular address may have been updated in one cache without having been updated in the other. Fig. 2 is a flow chart of instruction execution on a real Android device. Fig. 3 is a flow chart of instruction execution on an Android emulator.
The running environment detection method of the Android system provided by the invention specifically comprises the following steps:
A. Execute a computation-type instruction at an arbitrary address; for convenience of description, this address is named address ($address).
A1. On a real device, this instruction is placed in the cache dedicated to storing instructions;
A2. In the emulator, the computation-type instruction is placed directly in the cache;
Because the emulator has only a single unified cache, it is simply called the cache, with no need to distinguish between data storage and instruction storage.
B. Write a new instruction to $address;
B1. On a real device, the new instruction is written to the cache dedicated to storing data;
B2. In the emulator, it is written directly to the cache;
C. Execute the instruction at $address.
At this point, a real device reads the instruction from the cache dedicated to storing instructions, so it executes the instruction from the first step, i.e. the old instruction. The emulator reads the instruction directly from its cache, so it executes the instruction from the second step, i.e. the new instruction. Thus, according to whether the instruction executed was the new instruction or the old instruction, we can determine whether the current running environment is an emulator or a real device.
Because the cache structures of a real device and an emulator differ, the running environment detection method provided by the invention uses the structural characteristics of the cache memory to detect whether the running environment is an emulator. Specifically, a computation-type instruction is executed at an arbitrary address, a new instruction is written to that address, and the instruction at that address is executed; whether the instruction executed is the first instruction or the later, new instruction determines whether the running environment is a real device or an emulator. If the first instruction, i.e. the old instruction, was executed, the environment is a real device; if the second instruction, i.e. the new instruction, was executed, the environment is an emulator.
The invention is further described below by way of an example.
The following example first designs a piece of code that can write a new instruction to a specific address. Because execution then has to return to the original address and run it again, this embodiment implements it with a loop. The code that writes a new instruction to a specific address is as follows:
__asm__ volatile(
    "stmfd sp!, {r4-r8, lr}\n"  /* 1 */
    "mov r6, #0\n"              /* 2: counts loop iterations, for debugging */
    "mov r7, #0\n"              /* 3: initialize r7 */
    "mov r8, pc\n"              /* 4: lines 4 and 7 fetch, via its address, the "new instruction" that will overwrite $address */
    "mov r4, #0\n"              /* 5: initialize r4 */
    "add r7, #1\n"              /* 6: the "new instruction" used to overwrite $address */
    "ldr r5, [r8]\n"            /* 7 */
    "code:\n"                   /* 8 */
    "add r4, #1\n"              /* 9: this is $address; adds 1 to r4 */
    "mov r8, pc\n"              /* 10: lines 10, 11 and 12 write the instruction of line 6 over line 9 */
    "sub r8, #12\n"             /* 11 */
    "str r5, [r8]\n"            /* 12 */
    "add r6, #1\n"              /* 13: r6 counts iterations */
    "cmp r4, #10\n"             /* 14: controls the number of iterations */
    "bge out\n"                 /* 15 */
    "cmp r7, #10\n"             /* 16: controls the number of iterations */
    "bge out\n"                 /* 17 */
    "b code\n"                  /* 18: loop back, within 10 iterations */
    "out:\n"                    /* 19 */
    "mov r0, r4\n"              /* 20: use the value of r4 as the return value */
    "ldmfd sp!, {r4-r8, pc}\n"  /* 21 */
);
From the code above we can conclude that if r4 is 10, what was executed is the old instruction, and the code is running on a real device. If r4 equals 1, the new instruction was executed, and the code is running on an emulator.
However, a problem arises here: some memory does not have permission to be read, written and executed, so a new region of memory has to be allocated to run the code we wrote above. The solution is the mmap function in C, which can be used to allocate a new region of memory and give it read, write and execute permission. The machine code compiled from the code above is copied into the region obtained from mmap, and a function call then jumps to the start address of the newly allocated memory to execute the code. The following code segment can be used:
#include <string.h>     /* memcpy */
#include <sys/mman.h>   /* mmap, PROT_*, MAP_* */

void (*call)(void);  /* function pointer call */
#define PROT  (PROT_EXEC | PROT_WRITE | PROT_READ)  /* readable, writable, executable */
#define FLAGS (MAP_ANONYMOUS | MAP_FIXED | MAP_SHARED)
char code[] =  /* machine code of the assembly code designed above */
    "\xF0\x41\x2D\xE9\x00\x60\xA0\xE3\x00\x70\xA0\xE3\x0F\x80\xA0\xE1"
    "\x00\x40\xA0\xE3\x01\x70\x87\xE2\x00\x50\x98\xE5\x01\x40\x84\xE2"
    "\x0F\x80\xA0\xE1\x0C\x80\x48\xE2\x00\x50\x88\xE5\x01\x60\x86\xE2"
    "\x0A\x00\x54\xE3\x02\x00\x00\xAA\x0A\x00\x57\xE3\x00\x00\x00\xAA"
    "\xF5\xFF\xFF\xEA\x04\x00\xA0\xE1\xF0\x81\xBD\xE8";
/* The statements below belong inside a function body. */
void *exec = mmap((void *)0x10000000, (size_t)4096, PROT, FLAGS, -1, (off_t)0);  /* request the memory */
memcpy(exec, code, sizeof(code));  /* sizeof(code) already includes the trailing NUL; +1 would read past the array */
call = (void (*)(void))exec;       /* assign the start address of the region to the function pointer call */
call();                            /* execute the code through call */
In the code above, we request a new region of readable, writable and executable memory, copy the machine code of the assembly code into it, and then call the function pointer call to jump to the start address of this memory and execute the copied machine code. We then read the value of r4 afterwards.
__asm__ volatile(
    "mov %0, r0\n"
    : "=r"(a)
    :
    :
);
This places r0, that is, the value of r4, into the variable a. A different value can then be returned depending on the value of a, which makes it easy to evaluate the result in the application. The test result on a real device shows that the value of r4 is 10, while the result on the emulator shows that the value of r4 is 1, so what was executed there was the new instruction.
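The two outcomes described above (r4 = 10 and r4 = 1) can be reproduced in a small software model. The following C program is an added illustration, not code from the patent: it models $address as one memory word with an optional separate instruction-cache copy and replays the loop of the assembly listing. The names `machine`, `run_probe` and `classify`, and the `sync_after_store` option (which models invalidating the instruction cache after the store), are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not real hardware: one instruction slot ($address). */
enum insn { ADD_R4, ADD_R7 };            /* old instruction, new instruction */
enum verdict { REAL_DEVICE, EMULATOR, INCONCLUSIVE };

struct machine {
    bool split_icache;      /* true: separate instruction and data caches */
    bool sync_after_store;  /* assumption: invalidate I-cache after each store */
    enum insn memory;       /* $address as seen by loads and stores */
    enum insn icache;       /* copy of $address held by the instruction cache */
    bool icache_valid;
};

/* Instruction fetch: a split I-cache keeps serving its own copy once filled. */
static enum insn fetch(struct machine *m)
{
    if (!m->split_icache)
        return m->memory;                /* unified cache: fetch sees the store */
    if (!m->icache_valid) {
        m->icache = m->memory;
        m->icache_valid = true;
    }
    return m->icache;
}

/* Data store: updates the data side only, unless the line is invalidated. */
static void store(struct machine *m, enum insn v)
{
    m->memory = v;
    if (m->split_icache && m->sync_after_store)
        m->icache_valid = false;
}

/* Replays the loop of the assembly listing and returns the final r4. */
int run_probe(bool split_icache, bool sync_after_store)
{
    struct machine m = { split_icache, sync_after_store, ADD_R4, ADD_R4, false };
    int r4 = 0, r7 = 0;

    r7 += 1;                             /* line 6 executes once before the loop */
    for (;;) {
        if (fetch(&m) == ADD_R4)         /* line 9: execute what is at $address */
            r4 += 1;
        else
            r7 += 1;
        store(&m, ADD_R7);               /* lines 10-12: overwrite $address */
        if (r4 >= 10 || r7 >= 10)        /* lines 14-17: loop bounds */
            break;
    }
    return r4;                           /* line 20: r4 is the return value */
}

/* Interpretation given in the text: r4 == 10 real device, r4 == 1 emulator. */
enum verdict classify(int r4)
{
    if (r4 == 10) return REAL_DEVICE;
    if (r4 == 1)  return EMULATOR;
    return INCONCLUSIVE;
}

int main(void)
{
    printf("split caches, no sync  : r4 = %d\n", run_probe(true, false));
    printf("unified cache          : r4 = %d\n", run_probe(false, false));
    printf("split caches, with sync: r4 = %d\n", run_probe(true, true));
    return 0;
}
```

The third case shows that, in this model, the real-device result depends on the store not being followed by instruction-cache maintenance; any value of r4 other than 10 or 1 falls outside the two cases the text describes.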
It should be noted that the purpose of publishing the embodiments is to help further understanding of the invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should therefore not be limited to what the embodiments disclose; the scope of protection claimed is defined by the claims.
Claims (2)
1. A method for detecting the running environment of an Android system, which uses the characteristics of the cache memory to detect whether the running environment of the current Android system is an Android emulator or a real Android device, comprising the following steps:
1) executing an instruction at an arbitrary address $address; this is the old instruction;
2) writing a new instruction to said address $address, the new instruction being different from the old instruction of step 1);
3) executing the instruction at said address $address again;
4) determining, from the execution result of step 3), whether the instruction executed in step 3) was the new instruction or the old instruction; when the instruction executed in step 3) was the old instruction, the running environment of the current Android system is a real device; when the instruction executed in step 3) was the new instruction, the running environment of the current Android system is an Android emulator.
2. The method for detecting the running environment of an Android system according to claim 1, characterized in that, when there is no permission to read, write and execute at said address $address, the mmap method of the C language is used and a call function is invoked to implement the operation of writing the new instruction to said address $address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610523168.XA CN106201872A (en) | 2016-07-05 | 2016-07-05 | A kind of running environment detection method of android system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106201872A (en) | 2016-12-07 |
Family
ID=57464842
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610523168.XA Pending CN106201872A (en) | 2016-07-05 | 2016-07-05 | A kind of running environment detection method of android system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106201872A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20161207 |